Lattice Attacks Against Elliptic-Curve Signatures with Blinded Scalar Multiplication

  • Dahmun Goudarzi
  • Matthieu Rivain
  • Damien Vergnaud
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10532)


Elliptic curve cryptography is today the prevailing approach to obtaining efficient public-key cryptosystems and digital signatures. Most elliptic-curve signature schemes use a nonce in the computation of each signature, and knowledge of this nonce is sufficient to fully recover the secret key of the scheme. Even a few bits of the nonce over several signatures allow a complete break of the scheme by lattice-based attacks. Several works have investigated how to efficiently apply such attacks when partial information on the nonce can be recovered through side-channel attacks. However, these attacks usually target unprotected implementations and/or make ideal assumptions on the recovered information, and it is not clear how they would perform in a scenario where common countermeasures are included and where only noisy information leaks via side channels. In this paper, we close this gap by applying such attack techniques against elliptic-curve signature implementations based on a blinded scalar multiplication. Specifically, we extend the famous Howgrave-Graham and Smart lattice attack to the case where the nonces are blinded by the addition of a random multiple of the elliptic-curve group order or by a random Euclidean splitting. We then assume that noisy information on the blinded nonce can be obtained through a template attack targeting the underlying scalar multiplication, and we show how to characterize the obtained likelihood scores under a realistic leakage assumption. To deal with this scenario, we introduce a filtering method which, given a set of signatures and associated likelihood scores, maximizes the success probability of the lattice attack. Our approach is backed up with attack simulation results for several signal-to-noise ratios of the exploited leakage.
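The two scalar-blinding countermeasures the abstract refers to (adding a random multiple of the group order, and Euclidean splitting of the scalar) are easy to state but worth seeing in working arithmetic. The following is an added example, not code from the paper or its authors: it uses a constructed toy curve over F_97 (insecure, illustration only), computes the order of the base point by brute force, and checks that both blinded scalar multiplications return the same point as the plain one while the scalar actually processed by the double-and-add loop changes. All function names and the curve parameters are assumptions of this example.

```python
"""Toy demonstration of two scalar-blinding countermeasures for ECC nonces.
Added example (not the paper's code); constructed curve, for illustration only."""
import secrets

# Constructed toy curve y^2 = x^3 + A*x + B over F_P (far too small for real use).
P, A, B = 97, 2, 3
G = (3, 6)          # on the curve: 6^2 = 36 = 3^3 + 2*3 + 3 (mod 97)
INF = None          # point at infinity


def on_curve(pt):
    """True if pt satisfies the curve equation (INF counts as on-curve)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition (handles doubling and the inverse case)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                      # p2 == -p1, including 2-torsion doubling
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Plain right-to-left double-and-add; the scalar bits consumed here are what a
    template attack on the scalar multiplication would try to recover."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def point_order(pt):
    """Brute-force order of pt (acceptable on a toy curve)."""
    n, acc = 1, pt
    while acc is not INF:
        acc = add(acc, pt)
        n += 1
    return n


N = point_order(G)   # order of <G>, computed rather than hard-coded


def blinded_scalar_mult_additive(k, pt, r):
    """Countermeasure 1: process k' = k + r*N instead of k.
    Because N*pt = INF, k'*pt == k*pt, but the bit pattern fed to the
    double-and-add loop changes with the random r (and is longer than k)."""
    return scalar_mult(k + r * N, pt)


def blinded_scalar_mult_euclidean(k, pt, r):
    """Countermeasure 2 (Euclidean splitting): write k = q*r + s with
    q = k // r and s = k % r, then k*pt = q*(r*pt) + s*pt.
    The loop never processes k itself, only q, s and r."""
    q, s = divmod(k, r)
    r_pt = scalar_mult(r, pt)
    return add(scalar_mult(q, r_pt), scalar_mult(s, pt))


if __name__ == "__main__":
    k = 17                               # constructed "nonce"
    r = secrets.randbelow(2 ** 8) + 1    # fresh random blinding value per signature
    print("order of G :", N)
    print("plain      :", scalar_mult(k, G))
    print("additive   :", blinded_scalar_mult_additive(k, G, r), "(scalar", k + r * N, ")")
    print("euclidean  :", blinded_scalar_mult_euclidean(k, G, r), "(q, s =", divmod(k, r), ")")
```

The point of the paper is that neither blinding removes the algebraic relation between the processed scalar and the nonce: with additive blinding the attacker sees k + r·N and must absorb the unknown r into the lattice, and with Euclidean splitting the pieces q, r and s together still determine k. Blinding therefore raises the cost of the lattice attack and the amount of leakage needed, rather than making nonce leakage harmless.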





The authors were supported in part by the French ANR JCJC ROMAnTIC project (ANR-12-JS02-0004).



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Dahmun Goudarzi (1, 2)
  • Matthieu Rivain (1)
  • Damien Vergnaud (2)
  1. CryptoExperts, Paris, France
  2. ENS, CNRS, Inria and PSL Research University, Paris, France
